Security Restrict Permissions help needed

#1

I have set up a Server Action to list all the users in my database and I am populating a dropdown with the data. It works insofar as I get a list of all the users.

What I am having trouble with is restricting access to just my ‘Super Admin’ user group. I am using a two table system - one for users and one for groups. A user can be in multiple groups. Regardless of what I set in the “Restrict Properties, permission” box I can always get the list of users if I am logged in.

This is my setup for the Security Restrict:

This is my setup for my permissions:

It is my understanding that this set up should produce the following MySQL query for a user with the identity of 10:
SELECT * FROM users JOIN tbl_group_members ON users.id = tbl_group_members.user_id WHERE user_id = 10 AND group_id = 1

In my database this returns no records (user 10 is not a Super Admin) - my assumption was that this would cause the query to not be run or returned. However I still get a full response of all the records I asked for.

I have tried multiple combinations of users in the group, not in the group, user not in the groups table or user table etc and they all return all the records requested as if user 10 is a Super Admin. The only time that does not happen is when I am logged out.

Any thoughts any one about what I am missing here?

#2

Please have a look at https://community.wappler.io/c/docs/security-and-login, in particular the section called Getting Details of the Logged In User and Binding them to your page

If you still have a problem, please come back here.

#3

Hey Ben, my explanation may not have been clear - but I don’t think what you linked to is my problem. I have successfully worked through most of the tutorials for Wappler and been able to get my app up and running.

The problem is that there only seem to be two levels of access - logged in or logged out. When I am logged in the group membership table has no effect on the data returned. What I want is to be logged in and only get data returned if the user is a member of a particular group.

#4

I had a faint suspicion that I had not grasped the essence of your question. Therefore I’ll try again.

In the users table, you undoubtedly have a column named UserLevel or similar. When a user logs in using the procedure in the second link, all of the inforation regarding that user is available, including the UserLevel. In App Connect, you can use that information to show or hide contents as I have done by

dmx-show="scUser.data.qryUsers[0].UserLevel=='Admin'"

Hopefully this will help.

#5

I have followed this tutorial previously and it all works great for me. So let me expand a little more about what I am trying to accomplish.
I am creating an Admin page. On the admin page I want to be able to display a dropdown menu that lists all of the users of my app - so every user listed in the ‘users’ database table. I can successfully do this.

What I can’t do is prevent that list from populating for anyone who is logged in. So User 1 is in the ‘Super Admin’ group and ‘User 2’ is not. Even when I set the permission in ‘Security Restrict’ (like the image above) to Super Admin - both User 1 and User 2 can see the list.

Sure, I can hide it on the client side but that doesn’t make it secure - just hidden. Changing the permission in Security Restrict currently makes no difference to who can see the data.

FYI: I use an id number rather than a text string for the group identification but this shouldn’t change the principal. group_id #1 is the Super Admin group.

#6

I have accomplished what I need now but had to add a condition that utilizes a database lookup instead of the security restrict function.

If anyone can write a tutorial about Security restrict and groups using the two table method that would be great because I have spent hours on it and can’t figure it out.

I did watch this video by @Hyperbytes about it but it is not a full tutorial and doesn’t show the process in action. At 5:21 he asks a question but doesn’t ever show the last part of the process functioning in conjunction with Security Restrict.

#7

Have a look at https://www.youtube.com/watch?v=-xIdr1zoCaU&list=PLUjqTJN3byC9gPAJQn6Z5F6YEa3y-CAsC&index=8&t=3s

Bug Report from ASmyth #2019-3-2_23-21-55
#8

I have been playing around with Security Restrict for a few days and I can’t get it to function how I think it should. It is possible that it is not supposed to do what I want it to but I would like to verify this.

I have followed this tutorial by @George and it works great. What doesn’t work is when I try to go beyond the tutorial and restrict the data to a group with a condition on it - something more restrictive than ‘All Logged in’.

I have set up a test connection to my database and am listing all the records from a single table - a simple ‘select id, email from users’ query. When I use Security Restrict on the server action to only show the information to a logged in user it works as expected. When I am logged in I can see the data - when I am logged out I can’t.

However, when I try to add the groups table to the Security Provider and set conditions it has no impact at all. I am pretty sure I have it set up correctly (see the images in the first post of this thread) but to look a little deeper I logged all the Select queries on my DB and I don’t see any query checking to see what groups the user is in when they try to access the data. If this is not happening how can the Security Restrict know who to grant or restrict access to?

I believe that something is not working with Security Restrict but would love someone to show me where I am going wrong. A simple tutorial about how to restrict the data using a groups table would be great (I can’t find one).

#10

I have looked at that video series and have not been able to find anything relevant to the problem that I am having but it is possible that I just missed it.